What is SIPVicious? The ultimate VoIP pentest tool

In cybersecurity, the line between ethical hacking and criminal hacking is often thin. SIPVicious is a perfect example of this phenomenon: made for security professionals, it is also widely used by criminals to identify and exploit vulnerabilities in SIP networks. Let’s look at how it is used by both sides.

What is SIPVicious?

SIPVicious is a suite of hacking tools dedicated to vulnerability scanning on VoIP networks. It is developed by Enable Security, a company offering a wide range of services, such as security audits and training, to protect RTC and SIP networks.

SIPVicious is an “offensive security tool”: it takes an adversarial approach and is mainly used in pentest operations.

SIPVicious is an open-source tool suite; its code can be downloaded from Enable Security’s GitHub.

Offensive pentest tools

SIPVicious is composed of 5 tools:

Svmap is a SIP scanner used to identify SIP servers: when run against a target IP address, svmap can list SIP devices and PBX servers. It can be used for network inventory, to complete the catalog of the network’s components.

Svwar allows users to discover the active extensions on a target PBX server. It reports whether each extension is registered or not and whether it requires authentication.

Svcrack is used to crack passwords of the central server or registrar. It has to be combined with wordlists or numberlists: it is a SIP brute-force tool.

Svreport lets users display all the scans made with svmap and svwar and export them to stdout, pdf, xml, csv or txt. Users can also delete any scan, display statistics and search for a given string in the user agent.

Svcrash is a response tool to protect SIP networks against svwar and svcrack requests. It blocks SIP floods made by attackers using svwar.

SIPVicious requirements

Operating systems

SIPVicious can be launched on Linux, macOS and Windows. It can also be run in Docker.

SIPVicious is made of Python scripts, so you will need Python installed on your computer.

Hardware

The software doesn’t require a lot of resources: a machine with 512MB of memory is enough to run SIPVicious. The only limitation for low-resource computers concerns the SIP flooding feature: the intensity of the attack will depend on the resources of your machine.

How is SIPVicious used?

SIP pentest 

SIPVicious is mainly used by ethical hackers for security audits of SIP-based VoIP systems. During penetration testing operations, IT professionals scan the network and attempt to crack SIP accounts. These simulated cyberattacks let companies learn their network’s vulnerabilities and weaknesses.

SIPVicious attack

Many hackers use SIPVicious to perform reconnaissance and gather information about IP/VoIP phones and PBX systems.

Friendly scanner/SIP DDoS 

Like every tool that can be diverted from its initial purpose, SIPVicious is often used to perform real attacks.

A lot of companies and security professionals report SIP floods made with SIPVicious tools.

This type of attack, named “friendly scanner”, often comes with a User-Agent property containing “sipvicious”. This friendly scanner can cause a DDoS situation and paralyze a whole telephone infrastructure.

Brute force 

The brute-force attack module in SIPVicious (svcrack) can be used to brute force SIP credentials. This module will try to guess the SIP username and password by making multiple authentication attempts. Once the password is cracked, the attacker can carry out a wide variety of abuses, such as toll fraud.

Replay attack

A replay attack is when an attacker captures a valid request and then replays it at a later time. This can be used to perform actions that the attacker wants or to bypass security controls.

As many SIP devices allow the nonce (cryptographic hash number) to be reused, attackers just need to intercept it and replay it to gain access to a device or an extension.

The replay attack command (“reusenonce”) in SIPVicious can be used to replay previously recorded SIP requests. This can be used to replay a call or to replay a request that will cause the server to perform an action that the attacker wants.
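A registrar-side mitigation for the nonce reuse described above, as an added example that is not part of the original article or of SIPVicious: each nonce is signed by the server, expires quickly and is consumed on first use, so a replayed request is rejected. The names `SERVER_KEY`, `NONCE_TTL`, `issue_nonce` and `verify` are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # assumption: per-registrar secret used to sign nonces
NONCE_TTL = 30               # assumption: seconds a challenge stays valid
_seen = set()                # nonces already presented (purge entries older than NONCE_TTL)

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def _sign(ts, rand):
    return hmac.new(SERVER_KEY, f"{ts}.{rand}".encode(), hashlib.sha256).hexdigest()[:32]

def issue_nonce(now=None):
    """Nonce = timestamp.random.MAC, so forged or altered nonces are detectable."""
    ts = int(time.time() if now is None else now)
    rand = os.urandom(8).hex()
    return f"{ts}.{rand}.{_sign(ts, rand)}"

def digest_response(user, realm, password, method, uri, nonce):
    """Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def verify(user, realm, password, method, uri, nonce, response, now=None):
    """Check a digest response and refuse any nonce that was seen before."""
    now = time.time() if now is None else now
    try:
        ts, rand, mac = nonce.split(".")
        issued = int(ts)
    except ValueError:
        return "rejected: malformed nonce"
    if not hmac.compare_digest(mac.encode(), _sign(ts, rand).encode()):
        return "rejected: nonce not issued by this server"
    if now - issued > NONCE_TTL:
        return "rejected: stale nonce"
    if nonce in _seen:
        return "rejected: nonce already used"
    _seen.add(nonce)  # consumed on first use, whether or not the password matches
    expected = digest_response(user, realm, password, method, uri, nonce)
    if not hmac.compare_digest(response.encode(), expected.encode()):
        return "rejected: bad credentials"
    return "accepted"
```

Because the nonce is consumed even when the password is wrong, every further attempt needs a fresh challenge from the server.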

Protection against SIPVicious

There are some measures that can be taken to protect your network from “friendly scanner” attacks.

  1. Some user agents are known to be associated with the exploit. Suspect user-agent list: sipcli, Gulp, sipvicious, sipv, sip-scan, smap, sipsak, friendly-request, sundayddr, VaxIPUserAgent, friendly-scanner, VaxSIPUserAgent, iWar, siparmyknife, CSipSimple, Test Agent, SIVuS.
  2. When several failed register attempts are noticed, you can temporarily ban the associated IP address. To do so, you just have to block the IP address in the access control list (ACL) of your session border controller.

The complete list of recommendations can be found on the Kolmisoft blog.
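The two measures above combined into one log check, as an added example that is not from the original article: it flags sources whose User-Agent matches the suspect list and sources with repeated failed REGISTER attempts. The log line format, the threshold of 5 and the sample lines are constructed for the illustration.

```python
import re
from collections import Counter

# User-Agent substrings from the article's suspect list (lower-cased).
SUSPECT_AGENTS = (
    "sipcli", "gulp", "sipvicious", "sipv", "sip-scan", "smap", "sipsak",
    "friendly-request", "sundayddr", "vaxipuseragent", "friendly-scanner",
    "vaxsipuseragent", "iwar", "siparmyknife", "csipsimple", "test agent", "sivus",
)
MAX_FAILED_REGISTERS = 5  # assumed threshold; tune it to your own traffic

# Constructed (hypothetical) log format: one SIP transaction per line.
LINE_RE = re.compile(
    r'src=(?P<src>\S+) method=(?P<method>\S+) auth=(?P<auth>yes|no) '
    r'status=(?P<status>\d{3}) ua="(?P<ua>[^"]*)"'
)

def analyse(lines, max_failed=MAX_FAILED_REGISTERS):
    """Return {source_ip: reason} for sources that are candidates for a temporary ban."""
    failed = Counter()
    verdicts = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, ua = m["src"], m["ua"].lower()
        hit = next((a for a in SUSPECT_AGENTS if a in ua), None)
        if hit:
            verdicts.setdefault(src, f"suspect user-agent: {hit}")
        # A 401 to a REGISTER without credentials is the normal digest challenge,
        # so only rejections of requests that carried credentials are counted.
        if (m["method"] == "REGISTER" and m["auth"] == "yes"
                and m["status"] in ("401", "403")):
            failed[src] += 1
            if failed[src] >= max_failed:
                verdicts.setdefault(src, f"{failed[src]} failed REGISTER attempts")
    return verdicts

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = (
    ['src=203.0.113.10 method=OPTIONS auth=no status=200 ua="friendly-scanner"']
    + ['src=198.51.100.7 method=REGISTER auth=yes status=403 ua="ExamplePhone/1.0"'] * 5
    + ['src=192.0.2.20 method=REGISTER auth=no status=401 ua="ExamplePhone/1.0"',
       'src=192.0.2.20 method=REGISTER auth=yes status=200 ua="ExamplePhone/1.0"']
)

if __name__ == "__main__":
    for ip, reason in analyse(SAMPLE_LOG).items():
        print(ip, reason)
```

The returned addresses are the ones to add to the session border controller's ACL; user-agent strings are trivially changed by the sender, so the failed-register counter is the more reliable of the two signals.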

Is SIPVicious legal?

The use of SIPVicious is strictly reserved for audit operations, specifically pen test operations. The conditions of a pen test operation must be set out in a contract between the hacker and the company.

Any use of these tools outside of this type of agreement goes against the law.

It is possible to try out SIPVicious on your own local network.
